A critical security vulnerability affecting the GNU InetUtils telnet daemon (telnetd) has been disclosed, presenting a severe risk to unauthenticated remote attackers seeking to execute arbitrary code with elevated privileges. The flaw, identified as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0, underscoring its severity. Cybersecurity researchers at Israeli firm Dream discovered and reported the vulnerability, which impacts all versions of the Telnet service implementation up to 2.7. A patch is anticipated by April 1, 2026.
This critical telnetd vulnerability allows an attacker to exploit a buffer overflow within the LINEMODE Set Local Characters (SLC) suboption handler. The exploit can be triggered during the initial connection handshake, even before a login prompt appears. This means an attacker needs only a single network connection to port 23 to initiate the attack, requiring no credentials, user interaction, or specialized network positioning.
Critical Telnet Vulnerability Exposes Systems to Remote Code Execution
The discovery highlights a significant security gap in a widely used network protocol. The SLC handler is responsible for processing option negotiation during the Telnet protocol handshake. However, the vulnerability in CVE-2026-32746 allows malicious actors to weaponize this process immediately upon establishing a connection by sending specially crafted protocol messages.
Successful exploitation of this critical telnetd vulnerability could lead to a complete compromise of the affected system, especially if telnetd is running with root privileges. This level of access enables attackers to perform a range of post-exploitation activities. These can include deploying persistent backdoors, exfiltrating sensitive data, and utilizing the compromised host as a pivot point for lateral movement within a network.
“An unauthenticated attacker can trigger it by connecting to port 23 and sending a crafted SLC suboption with many triplets,” stated Adiel Sol, a security researcher at Dream. “No login is required; the bug is hit during option negotiation, before the login prompt. The overflow corrupts memory and can be turned into arbitrary writes. In practice, this can lead to remote code execution. Because telnetd usually runs as root (e.g., under inetd or xinetd), a successful exploit would give the attacker full control of the system.”
Mitigation and Future Outlook for Telnet Security
In the absence of an immediate fix, several mitigation strategies are recommended to protect against this telnetd vulnerability and similar threats. Organizations are advised to disable the Telnet service if it is not essential for their operations. Where Telnet is necessary, running the daemon without root privileges can limit the potential damage from a successful exploit. Network administrators should also block port 23 at the network perimeter and on host-based firewalls to restrict external access, and carefully isolate any remaining Telnet access.
This disclosure follows closely on the heels of another critical security flaw found in GNU InetUtils telnetd, CVE-2026-24061, which also allowed for root access and has reportedly been under active exploitation in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency. The ongoing discovery of severe vulnerabilities in Telnet underscores the need for organizations to re-evaluate their reliance on this older, less secure protocol and consider more modern, encrypted alternatives for remote access.
The development team behind the GNU InetUtils telnetd is expected to release a fix for CVE-2026-32746 by April 1, 2026. Users and administrators should monitor for the availability of this patch and apply it as soon as possible to safeguard their systems against this significant remote code execution risk.